YouTube No Cookies Adds Cookies

Programming - Apr 19, 2024


It’s counterintuitive and misleading, but if you use YouTube’s no cookies domain, YouTube will still set cookies when someone starts playing a video.

I recently discovered this on a website where we can’t use a cookie consent banner. The best way to comply with privacy laws was to avoid cookies and personally identifiable information.

We removed Google Analytics. We didn’t need cookies for the custom functionality we built. The only third-party service we used was YouTube, and we were using the no cookie version of YouTube.

We thought we had succeeded in building a cookie-free site. On the contrary.

I have since learned that YouTube no cookies isn’t a real feature. Instead, it is called YouTube Enhanced Privacy Mode. The reason many people call it YouTube no cookies is because the way to turn on YouTube Enhanced Privacy mode is by switching the domain that you use to embed videos from:

to:

You would be forgiven for thinking that a domain that says nocookie wouldn’t set a cookie, but that’s not what happens. Per Axbom describes how YouTube’s “Enhanced Privacy Mode” actually works:

  1. If you use the domain, there is no cookie set when the page with the YouTube embed loads.
  2. Instead, YouTube utilizes something called Local Storage in your browser to store a unique device identifier. Note that this is done without anyone’s consent and GDPR is violated already in this step. GDPR is not only about cookies.
  3. As soon as a user presses Play on the video, a cookie from YouTube is set. Whether or not consent has been given from the viewer. The second violation of informed consent in the same embed.

Given this behavior, naming the domain nocookie seems Orwellian.

After I discovered that YouTube was setting cookies and reading Per’s excellent summary of the issue, I found news articles from 2009—shortly after the feature was released—that point out “YouTube’s new ‘nocookie’ feature continues to serve cookies.” It has been this way from the beginning.

But I’m not the only one who was fooled. It isn’t hard to find articles on privacy and GDPR compliance that advocate for using without mentioning that YouTube will still set cookies if you use that domain.

So I’m still kicking myself for not double-checking to make sure cookies weren’t getting set. Trust, but verify, as it were.

But mostly, I’m mad at YouTube. It can’t be a surprise that many people thought this feature wouldn’t set cookies. It’s right there in the domain name.
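One way to do the double-check described above, as an added example that is not part of the original post: compare a browser storage snapshot taken after page load with one taken after pressing Play, and list what third parties added at each step. The snapshot shape follows Playwright's `storageState()` output (an assumption about how you capture it); `example.org`, the cookie name and the localStorage key are constructed placeholders.

```javascript
// Snapshots use the shape of Playwright's storageState() output (assumption);
// every value below is constructed for illustration.
const FIRST_PARTY = "example.org"; // hypothetical site embedding the video

const afterLoad = {
  cookies: [],
  origins: [{ origin: "https://www.youtube-nocookie.com",
              localStorage: [{ name: "example-device-id", value: "abc123" }] }],
};
const afterPlay = {
  cookies: [{ name: "EXAMPLE_VISITOR", value: "xyz", domain: ".youtube-nocookie.com",
              path: "/", expires: 1729000000, httpOnly: true, secure: true, sameSite: "None" }],
  origins: afterLoad.origins,
};

// True when host is the first-party site or one of its subdomains.
function isFirstParty(host, site) {
  const h = host.replace(/^\./, "").toLowerCase();
  return h === site || h.endsWith("." + site);
}

// List every cookie and localStorage key that belongs to a third party.
function thirdPartyState(snapshot, site) {
  const found = [];
  for (const c of snapshot.cookies) {
    if (!isFirstParty(c.domain, site)) found.push(`cookie ${c.domain} ${c.name}`);
  }
  for (const o of snapshot.origins) {
    const host = new URL(o.origin).hostname;
    if (isFirstParty(host, site)) continue;
    for (const item of o.localStorage) found.push(`localStorage ${host} ${item.name}`);
  }
  return found.sort();
}

// Report what each step of the visit added, so the step that stored an
// identifier (load vs. play) is visible.
function auditVisit(steps, site) {
  const seen = new Set();
  return steps.map(({ label, snapshot }) => {
    const added = thirdPartyState(snapshot, site).filter((e) => !seen.has(e));
    added.forEach((e) => seen.add(e));
    return { label, added };
  });
}

const report = auditVisit(
  [{ label: "page load", snapshot: afterLoad }, { label: "after play", snapshot: afterPlay }],
  FIRST_PARTY);
console.log(JSON.stringify(report, null, 2));
```

An empty `added` list at every step is the result a cookie-free site should produce; anything else names the origin and the step that introduced it.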
